A  BILL

To  amend  title  18,  United  States  Code,  to  preserve  personal 
privacy  with  respect  to  medical  records  and  health  care- 
related  information,  and  for  other  purposes. 

1  Be  it  enacted  by  the  Senate  and  House  of  Representa- 

2  tives  of  the  United  States  of  America  in  Congress  assembled, 

3  SECTION  1.  SHORT  TITLE. 

4  This  Act  may  be  cited  as  the  "Health  Care  Privacy 

5  Protection  Act". 
1  SEC.  2.  FINDINGS  AND  PURPOSES.

2  (a)  Findings. — The  Congress  finds  as  follows: 

3  (1)  The  right  to  privacy  is  a  personal  and  fun- 

4  damental  right  protected  by  the  Constitution  of  the 

5  United  States. 

6  (2)  The  improper  disclosure  of  personally  iden-

7  tifiable  health  care  information  may  cause  signifi-

8  cant  harm  to  a  person's  interest  in  privacy,  health 

9  care,  and  reputation  and  may  unfairly  affect  the 

10  ability  of  a  person  to  obtain  employment,  education, 

11  insurance,  and  credit. 

12  (3)  The  movement  of  people  and  health  care-re- 

13  lated  information  across  State  lines,  availability  of 

14  access  to  and  exchange  of  health  care-related  infor- 

15  mation  from  automated  data  banks  and  networks, 

16  and  emergence  of  multistate  health  care  providers 

17  and  payors  create  a  need  for  uniform  Federal  law 

18  governing  the  disclosure  of  health  care  information. 

19  (b)  Purpose. — The  purpose  of  this  Act  is  to  estab- 

20  lish  effective  mechanisms  to  protect  the  privacy  of  persons 

21  with  respect  to  personally  identifiable  health  care  informa- 

22  tion  that  is  created  or  maintained  as  part  of  health  treat- 

23  ment,  enrollment,  payment,  or  testing  processes. 
1  TITLE  I— JUDICIAL

2  PROCEEDINGS 

3  SEC.  101.  PRIVACY  OF  PERSONALLY  IDENTIFIABLE  HEALTH 

4  CARE  INFORMATION. 

5  (a)  Offense. — Part  I  of  title  18,  United  States 

6  Code,  is  amended  by  inserting  after  chapter  84,  the  follow- 

7  ing  new  chapter: 

8  "CHAPTER    84A— PRIVACY    OF  PERSON- 

9  ALLY  IDENTIFIABLE  HEALTH  CARE  IN- 

10  FORMATION 

"Sec. 

"1755.  Wrongful  disclosure  of  personally  identifiable  health  care  information. 
"1756.  Misuse  of  health  security  card  or  unique  identifier. 

11  "§1755.  Wrongful  disclosure  of  protected  health  in- 

12  formation 

13  "(a)  Definitions. — 

14  "(1)  PROTECTED  HEALTH  INFORMATION. — The 

15  term  "protected  health  information"  means  any  in- 

16  formation,  whether  oral  or  recorded  in  any  form  or 

17  medium,  that — 

18  "(A)(i)  is  created  or  received  by  a  health 

19  care  provider,  health  benefit  plan,  health  over- 

20  sight  agency,  public  health  authority,  or  re- 

21  gional  data  center;  or 
1  "(ii)  is  created  or  received  by  an  employer

2  through  the  process  of  testing  or  screening  ap- 

3  plicants  or  employees;  and 

4  "(B)  relates  to  the  past,  present,  or  future 

5  physical  or  mental  health  or  condition  of  an  in- 

6  dividual,  the  provision  of  health  care  to  an  indi- 

7  vidual  or  payment  for  the  provision  of  health  to 

8  an  individual  and — 

9  "(i)  identifies  the  individual;  or 

10  "(ii)  with  respect  to  which  there  is  a 

11  reasonable  basis  to  believe  that  the  infor- 

12  mation  can  be  used  to  identify  the  individ- 

13  ual. 

14  "(2)  Health  care. — The  term  'health  care' — 

15  "(A)  means — 

16  "(i)  a  preventative,  diagnostic,  thera- 

17  peutic  rehabilitative,  maintenance,  or  pal- 

18  liative     care,     counseling,     service,  or 

19  procedure — 

20  "(I)  with  respect  to  the  physical 

21  or  mental  condition  of  an  individual; 

22  or 

23  "(II)  affecting  the  structure  of 

24  function  of  the  human  body  or  any 

25  part  of  the  human  body;  or 
1  "(ii)  any  sale  or  dispensing  of  a  drug,

2  device,  equipment,  or  other  item  to  an  indi- 

3  vidual,  or  for  the  use  of  an  individual,  pur- 

4  suant  to  a  prescription;  and 

5  "(B)  does  not  include  any  item  or  service 

6  that  is  not  furnished  for  the  purpose  of  examin- 

7  ing,  maintaining  or  improving  the  health  of  an 

8  individual. 

9  "(b)  OFFENSE. — A  person  who  knowingly — 

10  "(1)  obtains  protected  health  information  relat- 

11  ing  to  an  individual  in  violation  of  title  II  of  the 

12  Health  Care  Privacy  Protection  Act;  or 

13  "(2)  discloses  protected  health  information  to 

14  another  person  in  violation  of  title  II  of  the  Health 

15  Care  Privacy  Protection  Act, 

16  shall  be  punished  as  provided  in  subsection  (c). 

17  "(c)  Penalties. — A  person  who  violates  subsection 

18  (b)  shall— 

19  "(1)  be  fined  not  more  than  $50,000,  impris- 

20  oned  not  more  than  1  year,  or  both;

21  "(2)  if  the  offense  is  committed  under  false  pre- 

22  tenses,  be  fined  not  more  than  $100,000,  imprisoned 

23  not  more  than  5  years,  or  both;  and 

24  "(3)  if  the  offense  is  committed  with  intent  to 

25  sell,  transfer,  or  use  protected  health  information  for 
1  commercial  advantage,  personal  gain,  or  malicious

2  harm,  fined  not  more  than  $250,000,  imprisoned  not 

3  more  than  10  years,  or  both. 

4  "§  1756.  Misuse  of  health  security  card  or  unique 

5  identifier 

6  "A  person  who — 

7  "(1)  requires  the  display  of,  requires  the  use  of, 

8  or  uses  a  health  security  card  that  is  issued  under 

9  section  1001(b)  of  the  Health  Security  Act  for  any 

10  purpose  other  than  a  purpose  described  in  section 

11  5105(a)  of  that  Act;  or 

12  "(2)  requires  the  disclosure  of,  requires  the  use 

13  of,  or  uses  a  unique  identifier  number  provided 

14  under  section  5104  of  that  Act  for  any  purpose  that 

15  is  not  authorized  by  the  National  Health  Board  pur- 

16  suant  to  that  section, 

17  shall  be  fined  not  more  than  $25,000,  imprisoned  not 

18  more  than  2  years,  or  both.".

19  (b)  Technical  Amendment. — The  part  analysis  for 

20  part  I  of  title  18,  United  States  Code,  is  amended  by  in- 

21  serting  after  the  item  related  to  chapter  84,  the  following 

22  new  item: 

"84A.  Privacy  of  personally  identifiable  health  care  information    1755.". 
1  TITLE  II— LIMITATIONS  ON  DIS-

2  CLOSURE     OF  PROTECTED 

3  HEALTH  INFORMATION 

4  SEC.  201.  DEFINITIONS. 

5  In  this  title: 

6  (1)    Health    benefit    plan. — The  term 

7  "health  benefit  plan"  means  a  public  or  private  en- 

8  tity  or  program  that  provides  payments  for  health 

9  care  or  that  provides  life  insurance — 

10  (A)  including — 

11  (i)  a  group  health  plan  (as  defined  in 

12  section  607  of  the  Employee  Retirement 

13  Income  Security  Act  of  1974  (29  U.S.C.

14  1167)),  employer  self-insurance  plan,  or  a 

15  multiple  employer  welfare  arrangement  (as 

16  defined  in  section  3  of  that  Act  (29  U.S.C. 

17  1002))  providing  health  benefits; 

18  (ii)   any  other  health  insurance  ar- 

19  rangement,    including    any  arrangement 

20  consisting  of  a  hospital  or  medical  expense 

21  incurred  policy  or  certificate,  hospital  or 

22  medical  service  plan  contract,  health  main-

23  tenance  organization  subscriber  contract; 

24  and 

25  (iii)  a  life  insurance  plan; 
1  (B)  but  not  including —

2  (i)  an  individual  who  makes  a  pay- 

3  ment  on  the  individual's  own  behalf  (or  on 

4  behalf  of  any  other  individual)  for  health 

5  care    or    for    deductibles,  coinsurance, 

6  copayments,  items,  or  services  not  covered 

7  under  a  health  insurance  arrangement; 

8  (ii)  a  plan  sponsor  (as  defined  in  sec- 

9  tion  3  of  the  Employee  Retirement  Income 

10  Security  Act  of  1974  (29  U.S.C.  1002)); 

11  (iii)  an  employer  of  an  employee  cov- 

12  ered  under  a  multiple  employer  welfare  ar- 

13  rangement; 

14  (iv)   an  employee  organization  that

15  sponsors  a  multiple  employer  welfare  ar- 

16  rangement;  or 

17  (v)  an  organization,  association,  com- 

18  mittee,  joint  board  of  trustees,  or  similar 

19  group  of  representatives  of  2  or  more  em- 

20  ployers  described  in  clause  (iii)  or  2  or 

21  more  employee  organizations  described  in 

22  clause  (iv). 

23  (2)  Health  care. — The  term  "health  care" — 

24  (A)  means — 
1  (i)  a  preventative,  diagnostic,  thera-

2  peutic,  rehabilitative,  maintenance,  or  pal- 

3  liative     care,     counseling,     service,  or 

4  procedure — 

5  (I)  with  respect  to  the  physical  or 

6  mental  condition  of  an  individual;  or 

7  (II)   affecting  the  structure  or 

8  function  of  the  human  body  or  any 

9  part  of  the  human  body;  or 

10  (ii)  any  sale  or  dispensing  of  a  drug, 

11  device,  equipment,  or  other  item  to  an  indi-

12  vidual,  or  for  the  use  of  an  individual,  pur- 

13  suant  to  a  prescription;  but 

14  (B)  does  not  include  any  item  or  service 

15  that  is  not  furnished  for  the  purpose  of  examin- 

16  ing,  maintaining,  or  improving  the  health  of  an 

17  individual. 

18  (3)    Health    care    provider. — The  term 

19  "health  care  provider"  means  a  person  who  is  li- 

20  censed,  certified,  registered,  or  otherwise  authorized 

21  by  law  to  provide  an  item  or  service  that  constitutes 

22  health  care  in  the  ordinary  course  of  business  or 

23  practice  of  a  profession. 

24  (4)    Health   information   trustee. — The 

25  term  "health  information  trustee"  means — 
1  (A)  a  health  care  provider,  health  benefit

2  plan,  health  oversight  agency,  regional  data 

3  center,  or  employer,  insofar  as  it  creates,  re- 

4  ceives,  maintains,  uses,  or  transmits  protected 

5  health  information;  and 

6  (B)   any  person  who   obtains  protected 

7  health  information  under  section  207,  208,  209, 

8  210,  211,  212,  or  215. 

9  (5)  Health  oversight  agency. — The  term 

10  "health  oversight  agency"  means  a  person  that — 

11  (A)  performs  or  oversees  the  performance 

12  of  an  assessment,  evaluation,  determination,  or 

13  investigation  relating  to  the  licensing,  accredita- 

14  tion,  or  certification  of  health  care  providers;  or 

15  (B)(i)  performs  or  oversees  the  perform- 

16  ance  of  an  assessment,  evaluation,  determina- 

17  tion,  or  investigation  relating  to  the  effective- 

18  ness  of,  compliance  with,  or  applicability  of 

19  legal,  fiscal,  medical,  or  scientific  standards  or 

20  aspects  of  performance  related  to  the  delivery 

21  of,  or  payment  for,  health  care  or  relating  to 

22  health  care  fraud  or  fraudulent  claims  for  pay- 

23  ment  regarding  health;  and 

24  (ii)  is  a  public  agency,  acting  on  behalf  of

25  a  public  agency,  acting  pursuant  to  a  require- 
1  ment  of  a  public  agency,  or  carrying  out  activi-

2  ties  under  a  Federal  or  State  statute  governing 

3  the  assessment,  evaluation,  determination,  or 

4  investigation. 

5  (6)  Health  researcher. — The  term  "health 

6  researcher"  means  a  person  who  conducts  a  bio- 

7  medical,  epidemiological,  or  health  services  research 

8  project  or  a  health  statistics  project  that  has  been 

9  approved  by — 

10  (A)  an  institutional  review  board  for  the 

11  organization  sponsoring  the  project;

12  (B)  an  institutional  review  board  for  each 

13  health  information  trustee  that  maintains  pro- 

14  tected  health  information  intended  to  be  used  in 

15  the  project;  or 

16  (C)  an  institutional  review  board  estab- 

17  lished  or  designated  by  the  Secretary. 

18  (7)  Institutional  review  board. — The  term 

19  "institutional  review  board"  means — 

20  (A)  a  board  established  in  accordance  with 

21  regulations   of  the   Secretary  under  section 

22  491(a)  of  the  Public  Health  Service  Act  (42 

23  U.S.C.  289); 
1  (B)  a  similar  board  established  by  the  Sec-

2  retary  for  the  protection  of  human  subjects  in 

3  research  conducted  by  the  Secretary;  or 

4  (C)  a  similar  board  established  under  regu- 

5  lations  of  a  Federal  Government  authority  other 

6  than  the  Secretary. 

7  (8)  Law  enforcement  inquiry. — The  term 

8  "law  enforcement  inquiry"  means  an  investigation  or 

9  official  proceeding  inquiring  into  whether  there  is  a 

10  violation  of,  or  failure  to  comply  with,  any  criminal 

11  or  civil  statute  or  any  regulation,  rule,  or  order  is- 

12  sued  pursuant  to  such  a  statute. 

13  (9)  Person. — The  term  "person"  includes  an 

14  authority  of  the  United  States,  a  State,  or  a  political 

15  subdivision  of  a  State. 

16  (10)  Protected  health  information. — The 

17  term  "protected  health  information"  means  any  in- 

18  formation,  whether  oral  or  recorded  in  any  form  or 

19  medium,  that — 

20  (A)(i)  is  created  or  received  by  a  health 

21  care  provider,  health  benefit  plan,  health  over- 

22  sight  agency,  public  health  authority,  or  re- 

23  gional  data  center;  or 
1  (ii)  is  created  or  received  by  an  employer

2  through  the  process  of  testing  or  screening  ap- 

3  plicants  or  employees;  and 

4  (B)  relates  to  the  past,  present,  or  future 

5  physical  or  mental  health  or  condition  of  a  per- 

6  son,  the  provision  of  health  care  to  a  person,  or 

7  payment  for  the  provision  of  health  care  to  an 

8  individual  and — 

9  (i)  identifies  the  individual;  or 

10  (ii)  with  respect  to  which  there  is  a 

11  reasonable  basis  to  believe  that  the  infor- 

12  mation  can  be  used  to  identify  the  individ- 

13  ual. 

14  (11)  Public  health  authority. — The  term 

15  "public  health  authority"  means  an  authority  or  in- 

16  strumentality  of  the  United  States,  a  State,  or  a  po- 

17  litical  subdivision  of  a  State  that  is  (A)  responsible 

18  for  public  health  matters;  and  (B)  engaged  in  such 

19  activities  as  injury  reporting,  public  health  surveil- 

20  lance,  and  public  health  investigation  or  interven- 

21  tion. 

22  (12)  Regional  data  center. — The  term  "re-

23  gional  data  center"  means — 


S  2129  PCS 



1  (A)  an  entity  established  in  accordance 

2  with  the  Health  Security  Act  and  designated  as 

3  such  by  the  Secretary; 

4  (B)   an  entity  that  receives,  maintains, 

5  uses,  or  transmits  information  regarding  health 

6  for  payment,  statistical,  or  research  purposes. 

7  (13)     Secretary. — The    term  "Secretary" 

8  means  the  Secretary  of  Health  and  Human  Services. 

9  (14)  State.— The  term  "State"  includes  the 

10  District  of  Columbia,  Puerto  Rico,  the  Virgin  Is- 

11  lands,  Guam,  American  Samoa,  and  the  Northern 

12  Mariana  Islands. 

13  SEC.  202.  GENERAL  LIMITATIONS  ON  DISCLOSURE. 

14  (a)  In  General. — 

15  (1)    Disclosure   within   a   trustee. — A 

16  health  information  trustee  may  disclose  protected 

17  health  information  to  an  officer,  employee,  or  agent

18  of  the  trustee  only  for  a  purpose  that  is  compatible 

19  with  and  related  to  the  purpose  for  which  the 

20  information — 

21  (A)  was  collected;  or 

22  (B)  was  received  by  that  trustee. 

23  (2)   Disclosure   outside  a  trustee. — A 

24  health  information  trustee  may  disclose  protected 

25  health  information  to  a  person  other  than  an  officer, 
1  employee,  or  agent  of  the  trustee  only  for  a  purpose

2  that  is  authorized  under  this  Act. 

3  (3)  Scope  of  disclosure. — 

4  (A)  In  general. — Every  disclosure  of  pro- 

5  tected  health  information  by  a  health  informa- 

6  tion  trustee  shall  be  limited  to  the  minimum 

7  amount  of  information  necessary  to  accomplish

8  the  purpose  for  which  the  information  is  dis- 

9  closed. 

10  (B)  Guidelines. — Not  later  than  July  1, 

11  1996,  the  Attorney  General,  in  consultation 

12  with  the  Secretary,  after  notice  and  opportunity 

13  for  public  comment,  shall  issue  guidelines  to  im- 

14  plement  subparagraph  (A),  which  shall  take 

15  into  account  the  technical  capabilities  of  the 

16  record  systems  used  to   maintain  protected

17  health  information  and  the  costs  of  limiting  dis- 

18  closure. 

19  (4)  Identification  of  disclosed  informa-

20  TION  AS  PROTECTED   INFORMATION. — Except  with

21  respect  to  protected  health  information  that  is  dis- 

22  closed  under  section  217,  and  except  as  provided  in 

23  paragraph  (5),  a  health  information  trustee  may  not 

24  disclose  protected  health  information  unless  such  in- 
1  formation  is  clearly  identified  as  protected  health  in-

2  formation  that  is  subject  to  this  section. 

3  (5)  Routine  disclosures  subject  to  writ- 

4  TEN  AGREEMENT. — A  health  information  trustee 

5  who  routinely  discloses  protected  health  information 

6  to  a  person  may  satisfy  the  identification  require- 

7  ment  in  paragraph  (4)  through  a  written  agreement 

8  between  the  trustee  and  the  person  with  respect  to 

9  the  protected  health  information. 

10  (6)  Agreement  to  limit  disclosure. — A 

11  health  information  trustee  who  receives  protected 

12  health  information  from  any  person  pursuant  to  a 

13  written  agreement  to  restrict  disclosure  of  the  infor- 

14  mation  to  a  greater  extent  than  would  otherwise  be 

15  required  under  this  section  shall  comply  with  the

16  terms  of  the  agreement,  except  in  circumstances  in 

17  which  disclosure  of  the  information  is  required  by 

18  law  notwithstanding  the  agreement. 

19  (7)     NO     GENERAL     REQUIREMENT     TO  DIS- 

20  CLOSE. — Except  as  provided  in  the  section  217  re- 

21  lating  to  inspection,  nothing  in  this  section  shall  be 

22  construed  to  require  a  health  information  trustee  to 

23  disclose  protected  health  information  not  otherwise 

24  required  to  be  disclosed  by  law. 
1  cally  named  or  generically  described  in  the  author-

2  ization  as  a  person  to  whom  such  information  may 

3  be  disclosed. 

4  (5)  Statement  of  intended  disclosures. — 

5  The  authorization  contains  an  acknowledgment  that 

6  the  individual  who  is  the  subject  of  the  information 

7  has  received  a  statement  of  the  disclosures  that  the 

8  person  to  receive  the  protected  health  information 

9  intends  to  make,  which  statement  shall  be  in  writ- 

10  ing,  on  a  form  that  is  distinct  from  the  authorization 

11  for  disclosure,  and  which  statement  must  be  received

12  by  the  individual  authorizing  the  disclosure  on  or  be- 

13  fore  such  authorization  is  executed. 

14  (6)  Information  described. — The  informa- 

15  tion  to  be  disclosed  is  described  in  the  authorization. 

16  (7)  Authorization  timely  received. — The 

17  authorization  is  received  by  the  trustee  during  a  pe- 

18  riod  described  in  subsection  (c)(1). 

19  (8)  Disclosure  timely  made. — The  disclo- 

20  sure  occurs  during  a  period  described  in  subsection 

21  (c)(2). 

22  (b)  Authorizations  Requested  in  Connection 

23  With  Provision  of  Health  Care. — 

24  (1)  In  GENERAL. — A  health  information  trustee 

25  may  not  request  that  an  individual  person  provide  to 



1  any  other  person  an  authorization  described  in  sub- 

2  section  (a)  on  a  day  on  which — 

3  (A)  the  trustee  provides  health  care  to  the 

4  individual  requested  to  provide  the  authoriza- 

5  tion;  or 

6  (B)  in  the  case  of  a  trustee  that  is  a  health 

7  facility,  the  individual  is  admitted  into  the  facil- 

8  ity  as  a  resident  or  inpatient  in  order  to  receive 

9  health  care. 

10  (2)  Exception. — Paragraph  (1)  does  not  apply 

11  if  a  health  information  trustee  requests  that  an  indi- 

12  vidual  provide  an  authorization  described  in  sub- 

13  section  (a)  for  the  purpose  of  assisting  the  individual 

14  in  obtaining  counseling  or  social  services  from  a  per- 

15  son  other  than  the  trustee. 

16  (c)  Time  Limitations  on  Authorizations. — 

17  (1)  Receipt  by  trustee. — For  purposes  of 

18  subsection  (a)(7),  an  authorization  is  timely  received 

19  if  it  is  received  by  the  trustee  during — 

20  (A)  the  1-year  period  beginning  on  the

21  date  on  which  the  authorization  is  signed  under 

22  subsection  (a)(1),  if  the  authorization  permits 

23  the  disclosure  of  protected  health  information  to 

24  a  person  who  provides  health  counseling  or  so- 

25  cial  services  to  individuals;  or 



1  that  the  individual  may  have  under  common  or  statutory 

2  law  in  a  court  of  a  State  or  the  United  States. 

3  (g)  Additional  Requirements  of  Trustee. — A 

4  health  information  trustee  may  impose  requirements  for 

5  an  authorization  that  are  in  addition  to  the  requirements 

6  in  this  subsection. 

7  (h)  Copy. — A  health  information  trustee  who  dis- 

8  closes  protected  health  information  pursuant  to  an  author- 

9  ization  under  this  section  shall  maintain  a  copy  of  the  au- 

10  thorization  as  part  of  the  information. 

11  (i)  Rule  of  Construction. — This  section  shall  not

12  be  construed — 

13  (1)  to  require  a  health  information  trustee  to 

14  disclose  protected  health  information;  or 

15  (2)  to  limit  the  right  of  a  health  information 

16  trustee  to  charge  a  fee  for  the  disclosure  or  repro- 

17  duction  of  protected  health  information. 

18  (j)  Subpoenas. — If  a  health  information  trustee  dis- 

19  closes  protected  health  information  pursuant  to  an  author- 

20  ization   in   order   to   comply  with   a   subpoena,  the 

21  authorization —

22  (1)  shall  specifically  authorize  the  disclosure  for 

23  the  purpose  of  permitting  the  trustee  to  comply  with 

24  the  subpoena;  and 
1  (2)  shall  otherwise  meet  the  requirements  in

2  this  subsection. 

3  SEC.  204.  TREATMENT  AND  PAYMENT. 

4  (a)  In  General. — (1)  A  health  care  provider,  health 

5  benefit  plan,  employer,  or  person  that  receives  protected 

6  health  information  under  section  208  may  disclose  pro- 

7  tected  health  information  to  a  health  care  provider  for  the 

8  purpose  of  providing  health  care  to  an  individual  and  the 

9  individual  who  is  the  subject  of  the  information  has  not 

10  previously  objected  to  the  disclosure  in  writing. 

11  (2)  A  health  care  provider,  health  benefit  plan,  em- 

12  ployer,  regional  data  center  or  person  that  receives  pro- 

13  tected  health  information  under  section  208  may  disclose 

14  protected  health  information  to  a  health  benefit  plan  for 

15  the  purpose  of  providing  for  the  payment  for  health  care 

16  furnished  to  an  individual. 

17  (3)  A  health  care  provider,  or  health  benefit  plan  or 

18  person  that  receives  protected  health  information  under 

19  section  208  may  disclose  protected  health  information  to 

20  a  regional  data  center  for  the  purpose  of  carrying  out  its 

21  functions. 

22  (b)  Scope  of  Disclosure. — The  disclosure  of  pro- 

23  tected  health  information  under  this  section  shall  be  lim- 

24  ited  to  the  minimum  amount  necessary  to  accomplish  the 

25  purpose  for  which  the  disclosure  is  authorized. 
1  (1)  the  individual  who  is  the  subject  of  the  in-

2  formation  has  not  previously  objected  to  the  disclo- 

3  sure  after  being  notified  of  the  right  to  object;  and 

4  (2)  the  information  disclosed  relates  to  health 

5  care  currently  being  provided  to  that  individual. 

6  (b)  Directory  Information. — A  health  care  pro- 

7  vider  and  a  person  receiving  protected  health  information 

8  under  section  208  may  disclose  information  to  any  person 

9  if— 

10  (1)  the  information  does  not  reveal  specific  in- 

11  formation  about  the  physical  or  mental  condition  of

12  the  individual  who  is  the  subject  of  the  information 

13  or  health  care  provided  to  that  person; 

14  (2)  the  individual  who  is  the  subject  of  the  in- 

15  formation  has  not  objected  in  writing  to  the  disclo- 

16  sure  after  being  notified  of  the  right  to  object;  and 

17  (3)  the  information  consists  only  of  1  or  more 

18  of  the  following  items: 

19  (A)  The  name  of  the  individual  who  is  the 

20  subject  of  the  information. 

21  (B)  If  the  individual  who  is  the  subject  of 

22  the  information  is  receiving  health  care  from  a 

23  health  care  provider  on  a  premises  controlled  by 

24  the  provider — 
1  (i)  the  location  of  the  individual  on

2  the  premises;  and 

3  (ii)  the  general  health  status  of  the  in- 

4  dividual,  described  as  critical,  poor,  fair, 

5  stable,  or  satisfactory  or  in  terms  denoting 

6  similar  conditions. 

7  (c)  Identification  of  Dead  Person. — A  health 


8  information  trustee  may  disclose  protected  health  informa- 

9  tion  if  necessary  to  assist  in  the  identification  of  a  dead

10  person. 

11  SEC.  207.  PUBLIC  HEALTH.

12  (a)  In  General. — A  health  care  provider,  health 

13  benefit  plan,  public  health  authority,  employer,  or  person 

14  that  receives  protected  health  information  under  section 

15  208  may  disclose  protected  health  information  to  a  public 

16  health  authority  or  other  person  authorized  by  law  for  use 

17  in  legally  authorized — 


18  (1)  disease  or  injury  reporting; 

19  (2)  public  health  surveillance;  or 

20  (3)  public  health  investigation  or  intervention. 

21  (b)  Scope  of  Disclosure. — The  disclosure  of  pro- 


22  tected  health  information  under  this  section  shall  be  lim- 

23  ited  to  the  minimum  amount  necessary  to  accomplish  the 

24  purpose  for  which  the  disclosure  is  authorized. 
1  SEC.  208.  EMERGENCY  CIRCUMSTANCES.

2  (a)  In  General. — A  health  care  provider,  health 

3  benefit  plan,  employer,  or  person  that  receives  protected 

4  health  information  under  section  208  may  disclose  pro- 

5  tected  health  information  in  emergency  circumstances 

6  when  necessary  to  protect  the  health  or  safety  of  an  indi-

7  vidual  from  imminent  harm.

8  (b)  Scope  of  Disclosure. — The  disclosure  of  pro- 

9  tected  health  information  under  this  section  shall  be  lim- 

10  ited  to  the  minimum  amount  necessary  to  accomplish  the 

11  purpose  for  which  the  disclosure  is  authorized  and  shall 

12  be  limited  to  persons  who  need  the  information  to  protect 

13  the  health  or  safety  of  the  individual. 

14  (c)  Use  in  Action  Against  Individual. — Pro- 

15  tected  health  information  about  an  individual  that  is  dis- 

16  closed  under  this  section  may  not  be  used  in,  or  disclosed 

17  to  any  person  for  use  in,  any  administrative,  civil,  or  crimi- 

18  nal  action  or  investigation  directed  against  the  individual 

19  except  when  the  use  or  disclosure  is  authorized  by  law  for 

20  protection  of  the  public  health. 

21  SEC.  209.  JUDICIAL  AND  ADMINISTRATIVE  PURPOSES.

22  (a)  In  General. — A  health  care  provider,  health 

23  benefit  plan,  health  oversight  agency,  employer,  and  per- 

24  son  that  receives  protected  health  information  under  sec- 

25  tion  208  may  disclose  protected  health  information — 
1  (1)  pursuant  to  the  Federal  Rules  of  Civil  Pro-

2  cedure,  the  Federal  Rules  of  Criminal  Procedure,  or 

3  comparable  rules  of  other  courts  or  administrative 

4  agencies  in  connection  with  litigation  or  proceedings 

5  to  which  the  individual  who  is  the  subject  of  the  in- 

6  formation  is  a  party  and  in  which  the  individual  has 

7  placed  the  individual's  physical  or  mental  condition 

8  in  issue; 

9  (2)  if  ordered  by  a  court  in  connection  with  an 

10  examination  of  an  individual;  or 

11  (3)  pursuant  to  a  law  requiring  the  reporting  of 

12  specific  medical  information  to  law  enforcement  au- 

13  thorities. 

14  (b)  Scope  of  Disclosure. — The  disclosure  of  pro- 

15  tected  health  information  under  this  section  shall  be  lim- 

16  ited  to  the  minimum  amount  necessary  to  accomplish  the 

17  purpose  for  which  the  disclosure  is  authorized. 

18  (c)  Limit  on  Additional  Disclosure. — A  person 


19  that  receives  protected  health  information  under  this  sec- 

20  tion  may  use  the  information  and  disclose  such  informa- 

21  tion  only  for  the  purpose  for  which  it  was  received. 

22  SEC.  210.  HEALTH  RESEARCH.

23  (a)  In  General. — A  health  information  trustee  may 

24  disclose  protected  health  information  to  a  health  re- 

25  searcher  if  the  disclosure  is  for  use  in  a  health  research 
1  project  that  has  been  determined  by  an  institutional  re-

2  view  board  to  be — 

3  (1)  of  sufficient  importance  to  outweigh  the  in- 

4  trusion  into  the  privacy  of  the  individual  who  is  the

5  subject  of  the  information  that  would  result  from  the 

6  disclosure;  and 

7  (2)    necessary   for   the   effectiveness   of  the 

8  project. 

9  (b)  Obligations  of  Recipient. — A  person  who  re- 

10  ceives  protected  health  information  pursuant  to  subsection 

11  (a)— 

12  (1)  shall  remove  or  destroy,  at  the  earliest  op- 

13  portunity  consistent  with  the  purposes  of  the  project, 

14  information  that  would  enable  an  individual  to  be 

15  identified,  unless — 

16  (A)  an  institutional  review  board  has  de- 

17  termined  that  there  is  a  health  or  research  jus- 

18  tification  for  retention  of  such  identifiers;  and 

19  (B)  there  is  an  adequate  plan  to  protect 

20  the  identifiers  from  disclosure  that  is  inconsist- 

21  ent  with  this  section. 

22  (2)  shall  use  protected  health  information  solely 

23  for  purposes  of  the  health  research  project  for  which 

24  disclosure  was  authorized  under  this  section. 
1  (c)  Scope  of  Disclosure. — The  disclosure  of  pro-

2  tected  health  information  under  this  section  shall  be  lim- 

3  ited  to  the  minimum  amount  necessary  to  accomplish  the 

4  research  purpose  for  which  the  disclosure  is  authorized. 

5  (d)  Research  Requiring  Direct  Contact. — Pro- 

6  tected  health  information  may  not  be  disclosed  to  a  health 

7  researcher  for  a  research  project  that  includes  direct  con- 

8  tact  with  an  individual  who  is  the  subject  of  protected 

9  health  information  unless  the  individual  who  is  the  subject 

10  of  the  protected  health  information  has  been  given  notice 

11  by  the  health  information  trustee  that  such  contact  is  pos- 

12  sible  and  been  given  the  opportunity  to  object  to  the  dis-

13  closure  and  the  individual  has  not  objected. 

14  SEC.  211.  LAW  ENFORCEMENT. 

15  (a)  In  General. — A  health  care  provider,  health 

16  benefit  plan,  health  oversight  agency,  health  researcher, 

17  employer,  or  other  person  that  receives  protected  health 

18  information  under  section  208  may  disclose  protected

19  health  information  to  a  law  enforcement  agency  (other 

20  than  a  health  oversight  agency  governed  by  section  205) 

21  if  the  information  is  requested  for  use — 

22  (1)  in  an  investigation  or  prosecution  of  a 

23  health  information  trustee; 
1  (2)  in  the  identification  or  location  of  a  victim,

2  suspect,  fugitive,  or  witness  in  a  law  enforcement  in- 

3  quiry;  or 

4  (3)   in  connection  with  the  investigation  of 

5  criminal  activity  committed  against  the  trustee  or  on 

6  premises  controlled  by  the  trustee. 

7  (b)  Certification. — When  a  law  enforcement  agen- 


8  cy  (other  than  a  health  oversight  agency)  requests  a  health 

9  information  trustee  disclose  protected  health  information 

10  under  this  subsection,  the  law  enforcement  agency  shall 

11  provide  the  trustee  with  a  written  certification  that —


12  (1)  specifies  the  information  requested; 

13  (2)  states  that  the  information  is  needed  for  a 

14  lawful  purpose  under  this  section;  and 

15  (3)  is  signed  by  a  supervisory  official  of  a  rank 

16  designated  by  the  head  of  the  agency. 

17  (c)  Scope  of  Disclosure. — The  disclosure  of  pro- 

18  tected  health  information  under  this  section  shall  be  lim- 

19  ited  to  the  minimum  amount  necessary  to  accomplish  the 

20  purpose  for  which  the  disclosure  is  authorized. 

21  (d)  Restrictions  on  Additional  Disclosure. — 

22  Protected  health  information  about  an  individual  that  is 

23  disclosed  to  a  law  enforcement  agency  under  this  section — 

24  (1)  may  not  be  disclosed  for,  or  used  in,  any 

25  administrative,  civil,  or  criminal  action  or  investiga- 
1  tion  against  the  individual,  except  in  an  action  or  in-

2  vestigation  arising  out  of  and  directly  related  to  the 

3  action  or  investigation  for  which  the  information  was 

4  obtained;  and 

5  (2)  may  not  be  otherwise  used  or  disclosed  by 

6  the  law  enforcement  agency,  unless  the  use  or  disclo- 

7  sure  is  necessary  to  fulfill  the  purpose  for  which  the 

8  information  was  obtained  and  is  not  otherwise  pro- 

9  hibited  by  law. 

10  SEC.  212.  SUBPOENAS  AND  WARRANTS. 

11  (a)  In  General. — A  health  care  provider,  health 

12  benefit  plan,  health  oversight  agency,  employer,  or  person 

13  that  receives  protected  health  information  under  section 

14  208  may  disclose  protected  health  information  under  this 

15  section  if  the  disclosure  is  pursuant  to — 

16  (1)  a  subpoena  issued  under  the  authority  of  a 

17  grand  jury,  and  the  trustee  is  provided  a  written  cer- 

18  tification  by  the  grand  jury  seeking  the  information 

19  that  the  grand  jury  has  complied  with  the  applicable 

20  access  provisions  of  section  213; 

21  (2)  an  administrative  subpoena  or  a  judicial 

22  subpoena  or  warrant,  and  the  trustee  is  provided  a 

23  written  certification  by  the  person  seeking  the  infor- 

24  mation  that  the  person  has  complied  with  the  appli- 

25  cable  access  provisions  of  section  213  or  214;  or 
1  (3)  an  administrative  subpoena  or  a  judicial

2  subpoena  or  warrant,  and  the  disclosure  otherwise 

3  meets  the  conditions  of  section  205,  207,  208,  209, 

4  or  211. 

5  (b)  Restrictions  on  Additional  Disclosure. — 

6  Protected  health  information  about  an  individual  that  is 

7  received  under — 

8  (1)  subsection  (a)  may  not  be  disclosed  for,  or 

9  used  in,  any  administrative,  civil,  or  criminal  action 

10  or  investigation  against  the  individual,  except  in  an 

11  action  or  investigation  arising  out  of  and  directly  re-

12  lated  to  the  inquiry  for  which  the  information  was 

13  obtained; 

14  (2)  subsection  (a)(2)  may  not  be  otherwise  dis- 

15  closed  by  the  recipient  unless  the  disclosure  is  nec- 

16  essary  to  fulfill  the  purpose  for  which  the  informa- 

17  tion  was  obtained;  and 

18  (3)  subsection  (a)(3)  may  not  be  disclosed  by 

19  the  recipient  unless  the  recipient  complies  with  the 

20  conditions  and  restrictions  on  disclosure  with  which 

21  the  recipient  would  have  been  required  to  comply  if 

22  the  disclosure  had  been  made  under  section  205, 

23  207,  208,  209,  or  211. 
1  SEC.  213.  ACCESS  PROCEDURES  FOR  LAW  ENFORCEMENT

2  SUBPOENAS  AND  WARRANTS. 

3  (a)  Probable  Cause  Requirement. — A  govern- 

4  ment  authority  may  not  obtain  protected  health  informa- 

5  tion  about  a  person  under  section  212(a)  (1)  or  (2)  for 

6  use  in  a  law  enforcement  inquiry  unless  there  is  probable 

7  cause  to  believe  that  the  information  is  relevant  to  a  legiti- 

8  mate  law  enforcement  inquiry  being  conducted  by  the  gov- 

9  ernment  authority. 

10  (b)  Warrants. — A  government  authority  that  ob- 

11  tains  protected  health  information  about  an  individual 

12  under  circumstances  described  in  subsection  (a)  and  pur- 

13  suant  to  a  warrant  shall,  not  later  than  30  days  after  the 

14  date  the  warrant  was  executed,  serve  the  individual  with, 

15  or  mail  to  the  last  known  address  of  the  individual,  a  no- 

16  tice  that  protected  health  information  about  the  individual 

17  was  so  obtained. 

18  (c)  Subpoenas. — Except  as  provided  in  subsection 

19  (d),  a  government  authority  may  not  obtain  protected 

20  health   information   about   an   individual   under  cir- 

21  cumstances  described  in  subsection  (a)  and  pursuant  to 

22  a  subpoena  unless  a  copy  of  the  subpoena  has  been  served 

23  on  the  individual  on  or  before  the  date  of  return  of  the 

24  subpoena,  together  with  a  notice  of  the  individual's  right 

25  to  challenge  the  subpoena  in  accordance  with  section  214, 

26  and — 
1  (1)  30  days  have  passed  from  the  date  of  serv-

2  ice  on  the  individual  and  within  that  time  period  the 

3  individual  has  not  initiated  a  challenge  in  accordance 

4  with  section  214;  or 

5  (2)  disclosure  is  ordered  by  a  court  after  chal- 

6  lenge  under  section  214. 

7  (d)  Application  for  Delay. — 

8  (1)  In  General. — A  government  authority  may

9  apply  ex  parte  and  under  seal  to  an  appropriate 

10  court  to  delay  (for  an  initial  period  of  not  longer 

11  than  90  days)  serving  a  copy  of  a  subpoena  or  notice

12  required  under  subsection  (b)  or  (c)  with  respect  to 

13  a  law  enforcement  inquiry.  The  government  author- 

14  ity  may  apply  to  the  court  for  extensions  of  the 

15  delay. 

16  (2)  Reasons  for  delay. — An  application  for 

17  a  delay,  or  extension  of  a  delay,  under  this  sub- 

18  section  shall  state,  with  reasonable  specificity,  the 

19  reasons  why  the  delay  or  extension  is  being  sought. 

20  (3)  Ex  parte  order. — The  court  shall  enter 

21  an  ex  parte  order  delaying,  or  extending  the  delay 

22  of,  notice  and  an  order  prohibiting  the  disclosure  of 

23  the  request  for  or  disclosure  of  the  protected  health 

24  information  and  an  order  requiring  the  disclosure  of 
1  the  protected  health  information  if  the  court  finds

2  that— 

3  (A)  the  inquiry  being  conducted  is  within 

4  the  lawful  jurisdiction  of  the  government  au- 

5  thority  seeking  the  protected  health  informa- 

6  tion; 

7  (B)  there  is  probable  cause  to  believe  that 

8  the  protected  health  information  being  sought  is 

9  relevant  to  a  legitimate  law  enforcement  in- 

10  quiry; 

11  (C)  the  government  authority's  need  for 

12  the  information  outweighs  the  privacy  interest 

13  of  the  individual  who  is  the  subject  of  the  infor- 

14  mation;  and 

15  (D)  there  is  reasonable  ground  to  believe 

16  that  receipt  of  notice  by  the  individual  will  re-

17  sult  in —

18  (i)  endangering  the  life  or  physical 

19  safety  of  any  individual; 

20  (ii)  flight  from  prosecution; 

21  (iii)  destruction  of  or  tampering  with 

22  evidence  or  the  information  being  sought; 

23  or 

24  (iv)    intimidation   of   potential  wit- 

25  nesses. 
1  (c)  Proceedings. — The  government  authority  may

2  file  with  the  court  such  papers,  including  affidavits  and 

3  other  sworn  documents,  as  sustain  the  validity  of  the  sub- 

4  poena.  The  movant  may  file  with  the  court  reply  papers 

5  in  response  to  the  authority's  filing.  The  court,  upon  the 

6  request  of  the  movant  or  the  government  authority  or 

7  both,  may  proceed  in  camera.  The  court  may  conduct  such 

8  proceedings  as  it  deems  appropriate  to  rule  on  the  motion, 

9  but  shall  endeavor  to  expedite  its  determination. 

10  (d)  Standard  for  Decision. — A  court  may  deny 

11  a  motion  under  subsection  (a)  if  it  finds  there  is  probable 

12  cause  to  believe  the  protected  health  information  being 

13  sought  is  relevant  to  a  legitimate  law  enforcement  inquiry 

14  being  conducted  by  the  government  authority,  unless  the 

15  court  finds  the  movant's  privacy  interest  outweighs  the 

16  government  authority's  need  for  the  information.  The 

17  movant  shall  have  the  burden  of  demonstrating  that  the 

18  individual's  privacy  interest  outweighs  the  need  estab- 

19  lished  by  the  government  authority  for  the  information. 

20  (e)  Specific  Considerations  With  Respect  to 

21  Privacy  Interest. — In  reaching  its  determination,  the 

22  court  shall  consider — 

23  (1)  the  particular  purpose  for  which  the  infor- 

24  mation  was  collected; 
1  (2)  the  degree  to  which  disclosure  of  the  infor-

2  mation  will  embarrass,  injure,  or  invade  the  privacy 

3  of  the  movant; 

4  (3)  the  effect  of  the  disclosure  on  the  movant's 

5  future  health  care; 

6  (4)  the  importance  of  the  inquiry  being  con- 

7  ducted  by  the  government  authority,  and  the  impor- 

8  tance  of  the  information  to  that  inquiry;  and 

9  (5)  any  other  factor  deemed  relevant  by  the 

10  court. 

11  (f)  Attorney's  Fees. — In  the  case  of  a  motion 

12  brought  under  subsection  (a)  in  which  the  movant  sub- 

13  stantially  prevails,  the  court  may  assess  against  the  gov- 

14  ernment  authority  a  reasonable  attorney's  fee  and  other 

15  litigation  costs  (including  expert  fees)  reasonably  incurred. 

16  (g)  No  Interlocutory  Appeal. — A  ruling  denying 

17  a  motion  to  quash  under  this  section  shall  not  be  deemed 

18  to  be  a  final  order,  and  no  interlocutory  appeal  may  be 

19  taken  therefrom  by  the  movant.  An  appeal  of  such  a  ruling 

20  may  be  taken  by  the  movant  within  such  period  of  time 

21  as  is  provided  by  law  as  part  of  any  appeal  from  a  final 

22  order  in  any  legal  proceeding  initiated  against  the  movant 

23  arising  out  of  or  based  upon  the  protected  health  informa- 

24  tion  disclosed. 
1  (e)  Attorney's  Fees. — In  the  case  of  a  motion

2  brought  under  subsection  (b)  in  which  the  movant  has 

3  substantially  prevailed,  the  court  may  assess  against  the 

4  respondent  a  reasonable  attorney's  fee  and  other  litigation 

5  costs  and  expenses  (including  expert's  fees)  reasonably  in- 

6  curred. 

7  SEC.  216.  SECURITY. 

8  (a)  In  General. — A  health  information  trustee  shall 

9  maintain  reasonable  and  appropriate  administrative,  tech- 

10  nical,  and  physical  safeguards — 

11  (1)  to  ensure  the  integrity  and  confidentiality  of 

12  protected  health  information  created  or  received  by 

13  the  trustee;  and 

14  (2)  to  protect  against  any  anticipated  threats  or 

15  hazards  to  the  security  or  integrity  of  such  informa- 

16  tion. 

17  (b)  Specific  Security  Measures. — The  security 

18  measures  adopted  by  a  health  information  trustee  shall  in-

19  clude  the  following:

20  (1)  Officers,  employees,  and  agents  of  the  trust- 

21  ee  who  have  access  to  protected  health  information 

22  created  by  the  trustee  shall  be  regularly  trained  in 

23  the  requirements  governing  such  information. 

24  (2)  Complete,  accurate,  and  readily  available 

25  records  shall  be  maintained,  if  the  maintenance  of 
1  such  records  is  practicable,  taking  into  account  the

2  technical  capabilities  of  the  system  used  to  maintain 

3  protected  health  information  and  the  costs  of  such 

4  maintenance. 

5  (3)  Appropriate  signs  and  warnings  shall  be 

6  posted  to  advise  of  the  need  to  secure  protected 

7  health  information. 

8  (c)  Regulations. — The  Secretary,  in  consultation 


9  with  the  Attorney  General,  shall  promulgate  regulations 

10  regarding  security  measures  for  protected  health  informa- 

11  tion.

12  SEC.  217.  INSPECTION  OF  PROTECTED  HEALTH  INFORMA- 


13  TION. 

14  (a)  Inspection  of  Protected  Health  Informa- 

15  tion. — 

16  (1)  In  general. — Except  as  provided  in  para- 

17  graph  (2),  a  health  care  provider  or  health  benefit 

18  plan — 

19  (A)  shall  permit  an  individual  who  is  the 

20  subject  of  protected  health  information  to  in- 

21  spect  any  such  information  that  the  provider  or 

22  plan  maintains; 

23  (B)  shall  permit  the  individual  to  have  a 

24  copy  of  the  information; 


S  2129  PCS

1  vidual,  except  with  the  authorization  of  the  in- 

2  dividual  or  under  compulsion  of  law. 

3  (B)  Information  about  others. — The 

4  information  relates  to  an  individual  other  than 

5  the  individual  seeking  to  inspect  or  have  a  copy 

6  of  the  information  and  the  provider  or  plan  de- 

7  termines,  based  on  reasonable  medical  judg- 

8  ment,  that  inspection  or  copying  of  the  informa- 

9  tion  would  cause  sufficient  harm  to  1  or  both 

10  of  the  individuals  so  as  to  outweigh  the  desir- 

11  ability  of  permitting  access.

12  (C)  Endangerment  to  life  or  safe- 

13  ty. — The  provider  or  plan  determines  that  dis- 

14  closure  of  the  information  could  reasonably  be 

15  expected  to  endanger  the  life  or  physical  safety 

16  of  any  individual. 

17  (D)  Confidential  source. — The  infor- 

18  mation  identifies  or  could  reasonably  lead  to  the 

19  identification  of  a  person  (other  than  a  health 

20  care  provider)  who  provided  information  under 

21  a  promise  of  confidentiality  to  a  health  care 

22  provider  concerning  the  individual  who  is  the 

23  subject  of  the  information. 

24  (E)    Administrative    purposes. — The 

25  information — 
1  (i)  is  used  by  the  provider  or  plan

2  solely  for  administrative  purposes  and  not 

3  in  the  provision  of  health  care  to  the  indi- 

4  vidual  who  is  the  subject  of  the  informa- 

5  tion;  and 

6  (ii)  has  not  been  disclosed  by  the  pro- 

7  vider  or  plan  to  any  other  person. 

8  (3)  Inspection  and  copying  of  segregable 

9  portion. — A  health  care  provider  or  health  benefit 

10  plan  shall  permit  inspection  and  copying  under  para- 

11  graph  (1)  of  any  reasonably  segregable  portion  of  a 

12  record  after  deletion  of  any  portion  that  is  exempt 

13  under  paragraph  (2). 

14  (4)  Conditions. — A  health  care  provider  or 

15  health  benefit  plan  may — 

16  (A)  require  a  written  request  for  the  in- 

17  spection  and  copying  of  protected  health  infor- 

18  mation  under  this  subsection;  and 

19  (B)  charge  a  reasonable  fee  (not  greater 

20  than  the  actual  cost)  for — 

21  (i)  permitting  inspection  of  informa- 

22  tion  under  this  subsection;  and 

23  (ii)   providing  a  copy  of  protected 

24  health  information  under  this  subsection. 
1  (5)  Statement  of  reasons  for  denial. — If

2  a  health  care  provider  or  health  benefit  plan  denies 

3  a  request  for  inspection  or  copying  under  this  sub- 

4  section,  the  provider  or  plan  shall  provide  the  indi- 

5  vidual  who  made  the  request  (or  the  individual's  des- 

6  ignated  representative)  with  a  written  statement  of 

7  the  reasons  for  the  denial. 

8  (6)  Deadline. — A  health  care  provider  or 

9  health  benefit  plan  shall  comply  with  or  deny  a  re- 

10  quest  for  inspection  or  copying  of  protected  health 

11  information  under  this  subsection  within  the  30-day 

12  period  beginning  on  the  date  on  which  the  provider 

13  or  plan  receives  the  request. 

14  SEC.  218.  AMENDMENT  OF  PROTECTED  HEALTH  INFORMA- 

15  TION. 

16  (a)  In  General. — A  health  care  provider  or  health 

17  benefit  plan  that  is  required  to  comply  with  this  subsection 

18  shall,  within  the  45-day  period  beginning  on  the  date  on 

19  which  the  provider  or  plan  receives  from  an  individual  a 

20  written  request  that  the  provider  or  plan  correct  or  amend 

21  the  information — 

22  (1)  make  the  correction  or  amendment  re- 

23  quested; 

24  (2)  inform  the  individual  of  the  correction  or 

25  amendment  that  has  been  made; 
1  (3)  inform  any  regional  data  center  to  which

2  the  uncorrected  or  unamended  portion  of  the  infor- 

3  mation  was  previously  disclosed,  of  the  correction  or 

4  amendment; 

5  (4)  inform  any  person  who  is  identified  by  the 

6  individual,  who  is  not  an  officer,  employee  or  agent, 

7  of  the  provider  or  plan,  and  to  whom  the  uncor- 

8  rected  or  unamended  portion  of  the  information  was 

9  previously  disclosed,  of  the  correction  or  amendment 

10  that  has  been  made. 

11  (b)  Refusal  To  Correct. — If  the  provider  or  plan

12  refuses  to  make  the  corrections,  the  provider  or  plan  shall 

13  inform  the  individual  of — 

14  (1)  the  reasons  for  the  refusal  of  the  provider 

15  or  plan  to  make  the  correction  or  amendment; 

16  (2)  any  procedures  for  further  review  of  the  re- 

17  fusal;  and 

18  (3)  the  individual's  right  to  file  with  the  pro- 

19  vider  or  plan  a  concise  statement  setting  forth  the 

20  requested  correction  or  amendment  and  the  individ- 

21  ual's  reasons  for  disagreeing  with  the  refusal  of  the 

22  provider  or  plan. 

23  (c)  Bases  for  Request  to  Correct  or  Amend. — 

24  An  individual  may  request  correction  or  amendment  of 

25  protected  health  information  about  the  individual  under 
1  paragraph  (d)  if  the  information  is  not  timely,  accurate,

2  relevant  to  the  system  of  records,  or  complete. 

3  (d)  Statement  of  Disagreement. — After  an  indi- 

4  vidual  has  filed  a  statement  of  disagreement  under  para- 

5  graph  (b)(3),  the  provider  or  plan,  in  any  subsequent  dis- 

6  closure  of  the  disputed  portion  of  the  information — 

7  (1)  shall  include  a  copy  of  the  individual's 

8  statement;  and 

9  (2)  may  include  a  concise  statement  of  the  rea- 

10  sons  of  the  provider  or  plan  for  not  making  the  re- 

11  quested  correction  or  amendment.

12  (e)  Rule  of  Construction. — This  subsection  shall 

13  not  be  construed  to  require  a  health  care  provider  or 

14  health  benefit  plan  to  conduct  a  formal,  informal,  or  other 

15  hearing  or  proceeding  concerning  a  request  for  a  correc- 

16  tion  or  amendment  to  protected  health  information  the 

17  provider  or  plan  maintains. 

18  (f)  Correction. — For  purposes  of  paragraph  (2),  a 

19  correction  is  deemed  to  have  been  made  to  protected 

20  health  information  when  information  that  is  not  timely, 

21  accurate,  relevant  to  the  system  of  records,  or  complete 

22  is  clearly  marked  as  incorrect  or  when  supplementary  cor- 

23  rect  information  is  made  part  of  the  information. 

24  (g)  Notice  of  Information  Practices. — 



1  (1)  Preparation  of  written  notice. — A 

2  health  care  provider  or  health  benefit  plan  shall  pre- 

3  pare  a  written  notice  of  information  practices  de- 

4  scribing  the  following: 

5  (A)  Personal  rights  of  an  individ-

6  ual. — The  rights  under  this  section  of  an  indi-

7  vidual  who  is  the  subject  of  protected  health  in- 

8  formation,  including  the  right  to  inspect  and 

9  copy  such  information  and  the  right  to  seek 

10  amendments  to  such  information,  and  the  pro- 

11  cedures  for  authorizing  disclosures  of  protected 

12  health  information  and  for  revoking  such  au- 

13  thorizations. 

14  (B)    Procedures    of    provider  or 

15  plan. — The  procedures  established  by  the  pro- 

16  vider  or  plan  for  the  exercise  of  the  rights  of  in- 

17  dividuals  about  whom  protected  health  informa- 

18  tion  is  maintained. 

19  (C)  Authorized  disclosures. — The  dis- 

20  closures  of  protected  health  information  that 

21  are  authorized. 

22  (2)  Dissemination  of  notice. — A  health  care 

23  provider  or  health  benefit  plan — 
1  (A)  shall,  upon  request,  provide  any  indi-

2  vidual  with  a  copy  of  the  notice  of  information 

3  practices  described  in  paragraph  (1);  and 

4  (B)  shall  make  reasonable  efforts  to  inform 

5  individuals  in  a  clear  and  conspicuous  manner 

6  of  the  existence  and  availability  of  the  notice. 

7  (3)  Model  notice. — Not  later  than  July  1, 

8  1996,  the  Secretary,  after  consultation  with  the  At- 

9  torney  General  and  after  notice  and  opportunity  for 

10  public  comment,  shall  develop  and  disseminate  a 

11  model  notice  of  information  practices  for  use  by 

12  health  care  providers  and  health  benefit  plans  under 

13  this  section. 

14  SEC.  219.  ACCOUNTING  FOR  DISCLOSURES. 

15  (a)  In  General. — A  health  care  provider  or  health 

16  benefit  plan  that  is  required  to  comply  with  this  subsection 

17  shall  create  and  maintain,  with  respect  to  any  protected 

18  health  information  disclosed,  a  record  of — 

19  (1)  the  date  and  purpose  of  the  disclosure; 

20  (2)  the  name  of  the  person  to  whom  the  disclo- 

21  sure  was  made; 

22  (3)  the  address  of  the  person  to  whom  the  dis- 

23  closure  was  made  or  the  location  to  which  the  disclo- 

24  sure  was  made;  and 
1  (4)  the  information  disclosed,  if  the  recording  of

2  the  information  disclosed  is  practicable,  taking  into 

3  account  the  technical  capabilities  of  the  system  used 

4  to  maintain  the  record  and  the  costs  of  such  mainte- 

5  nance. 

6  (b)  Disclosure  Record  Part  of  Information. — 

7  A  record  created  and  maintained  under  paragraph  (a) 

8  shall  be  maintained  as  part  of  the  protected  health  infor- 

9  mation  to  which  the  record  pertains,  except  for  requests 

10  from  and  disclosures  to  health  oversight  agencies. 

11  SEC.  220.  STANDARDS  FOR  ELECTRONIC  DOCUMENTS  AND

12  COMMUNICATIONS. 

13  Not  later  than  July  1,  1996,  the  Attorney  General, 

14  in  consultation  with  the  Secretary  and  after  notice  and 

15  opportunity  for  public  comment,  shall  promulgate  stand- 

16  ards  with  respect  to  the  creation,  transmission,  receipt, 

17  and  maintenance,  in  electronic  form,  of  each  written  docu- 

18  ment  required  or  authorized  under  this  title.  When  a  sig- 

19  nature  is  required  with  respect  to  a  written  document 

20  under  any  other  provision  of  this  title,  such  standards 

21  shall  provide  for  an  electronic  substitute  that  serves  the 

22  functional  equivalent  of  a  signature. 

23  SEC.  221.  RIGHTS  OF  INCOMPETENTS. 

24  (a)  Effect  of  Declaration  of  Incompetence. — 

25  Except  as  provided  in  section  222,  if  an  individual  has 
1  been  declared  to  be  incompetent  by  a  court  of  competent

2  jurisdiction,  the  rights  of  the  individual  under  this  section 

3  shall  be  exercised  and  discharged  in  the  best  interests  of 

4  the  individual  through  an  authorized  legal  representative. 

5  (b)  No  Court  Declaration. — Except  as  provided 

6  in  section  222,  if  a  health  care  provider  determines  that 

7  an  individual,  who  has  not  been  declared  to  be  incom- 

8  petent  by  a  court  of  competent  jurisdiction,  suffers  from 

9  a  medical  condition  that  prevents  the  individual  from  act-

10  ing  knowingly  or  effectively  on  the  individual's  own  behalf,

11  the  right  of  the  individual  to  authorize  disclosure  may  be

12  exercised  and  discharged  in  the  best  interest  of  the  individ- 

13  ual  by  the  individual's  next  of  kin. 

14  SEC.  222.  RIGHTS  OF  MINORS. 

15  (a)  Individuals  Who  Are  18  or  Legally  Capa-

16  ble. — In  the  case  of  an  individual —

17  (1)  who  is  18  years  of  age  or  older,  all  rights 

18  of  the  individual  shall  be  exercised  by  the  individual; 

19  or 

20  (2)  who,  acting  alone,  has  the  legal  right,  as  de- 

21  termined  by  State  law,  to  apply  for  and  obtain  a 

22  type  of  medical  examination,  care,  or  treatment  and 

23  who  has  sought  such  examination,  care,  or  treat- 

24  ment,  the  individual  shall  exercise  all  rights  of  an  in- 

25  dividual  under  this  title  with  respect  to  protected 
1  health  information  relating  to  such  examination,

2  care,  or  treatment. 

3  (b)  Individuals  Under  18. — Except  as  provided  in 

4  subsection  (a)(2),  in  the  case  of  an  individual  who  is — 

5  (1)  under  14  years  of  age,  all  the  individual's 

6  rights  under  this  title  shall  be  exercised  through  the 

7  parent  or  legal  guardian  of  the  individual;  or 

8  (2)  14,  15,  16,  or  17  years  of  age,  the  rights 

9  of  inspection  and  amendment,  and  the  right  to  au- 

10  thorize  disclosure  of  protected  health  information  of 

11  the  individual  may  be  exercised  either  by  the  individ-

12  ual  or  by  the  parent  or  legal  guardian  of  the  individ- 

13  ual. 

14  SEC.  223.  NO  LIABILITY  FOR  PERMISSIBLE  DISCLOSURES. 

15  A  health  information  trustee  who  makes  a  disclosure 

16  of  protected  health  information  about  an  individual  that 

17  is  permitted  by  this  title  shall  not  be  liable  to  the  individ- 

18  ual  for  the  disclosure  under  common  law.

19  SEC.   224.   NO  LIABILITY  FOR  INSTITUTIONAL  REVIEW 

20  BOARD  DETERMINATIONS. 

21  If  the  members  of  an  institutional  review  board  make 

22  a  determination  in  good  faith  that — 

23  (1)  a  health  research  project  is  of  sufficient  im- 

24  portance  to  outweigh  the  intrusion  into  the  privacy 

25  of  an  individual;  and 



1  (2)  the  effectiveness  of  the  project  requires  use 

2  of  protected  health  information, 

3  the  members,  the  board,  and  the  parent  institution  of  the 

4  board  shall  not  be  liable  to  the  individual  as  a  result  of 

5  the  determination. 

6  SEC.  225.  GOOD  FAITH  RELIANCE  ON  CERTIFICATION. 

7  A  health  information  trustee  who  relies  in  good  faith 

8  on  a  certification  by  a  government  authority  or  other  per- 

9  son  and  discloses  protected  health  information  about  an 

10  individual  in  accordance  with  this  title  shall  not  be  liable 

11  to  the  individual  for  such  disclosure. 

12  SEC.  226.  CIVIL  PENALTY. 

13  (a)  Violation. — Any  health  information  trustee  who 

14  the  Secretary  determines  has  substantially  failed  to  com- 

15  ply  with  this  title  shall  be  subject,  in  addition  to  any  other 

16  penalties  that  may  be  prescribed  by  law,  to  a  civil  penalty 

17  of  not  more  than  $10,000  for  each  such  violation. 

18  (b)  Procedures  for  Imposition  of  Penalties. —

19  Section  1128A  of  the  Social  Security  Act  (42  U.S.C. 

20  1320a-7a),  other  than  subsections  (a)  and  (b)  and  the 

21  second  sentence  of  subsection  (f)  of  that  section,  shall 

22  apply  to  the  imposition  of  a  civil  monetary  penalty  under 

23  this  section  in  the  same  manner  as  such  provisions  apply 

24  with  respect  to  the  imposition  of  a  penalty  under  section 

25  1128A  of  that  Act.

1  SEC.  227.  CIVIL  ACTION.

2  (a)  In  General. — An  individual  who  is  aggrieved  by 

3  conduct  in  violation  of  this  title  may  bring  a  civil  action 

4  to  recover — 

5  (1)  the  greater  of  actual  damages  or  liquidated 

6  damages  of  $5,000; 

7  (2)  punitive  damages; 

8  (3)  a  reasonable  attorney's  fee  and  expenses  of 

9  litigation; 

10  (4)  costs  of  litigation;  and 

11  (5)  such  preliminary  and  equitable  relief  as  the 

12  court  determines  to  be  appropriate. 

13  (b)  Limitation. — No  action  may  be  commenced 


14  under  this  section  more  than  3  years  after  the  date  on 

15  which  the  violation  was  or  should  reasonably  have  been 

16  discovered. 

17  SEC.  228.  RELATIONSHIP  TO  OTHER  LAWS. 

18  (a)  State  Law. — Except  as  provided  in  subsections 

19  (b),  (c),  and  (d),  this  title  preempts  any  State  law  to  the 

20  extent  that  such  law  is  inconsistent  with  this  title. 

21  (b)  Laws  Relating  to  Public  Health. — Nothing 

22  in  this  title  is  intended  to  preempt  or  operate  to  the  exclu- 

23  sion  of  any  State  public  health  law  that  prevents  or  regu- 

24  lates  disclosure  of  protected  health  information  otherwise 

25  allowed  under  this  Act.

1  (c)  Privileges. — Nothing  in  this  title  is  intended  to

2  preempt  or  modify  State  common  or  statutory  law  to  the 

3  extent  such  law  concerns  a  privilege  of  a  witness  or  person 

4  in  a  court  of  the  State.  This  title  does  not  supersede  or 

5  modify  Federal  common  or  statutory  law  to  the  extent 

6  such  law  concerns  a  privilege  of  a  witness  or  person  in 

7  a  court  of  the  United  States. 

8  (d)  Certain  Duties  Under  State  or  Federal 

9  Law. — This  title  shall  not  be  construed  to  preempt,  super- 

10  sede,  or  modify  the  operation  of — 

11  (1)  any  law  that  provides  for  the  reporting  of 

12  vital  statistics  such  as  birth  or  death  information; 

13  (2)  any  law  requiring  the  reporting  of  abuse  or 

14  neglect  information  about  any  individual; 

15  (3)  subpart  II  of  part  E  of  title  XXVI  of  the 

16  Public  Health  Service  Act  (relating  to  notifications 

17  of  emergency  response  employees  of  possible  expo- 

18  sure  to  infectious  diseases);  or 

19  (4)  any  Federal  law  that  prevents  or  regulates 

20  disclosure  of  protected  health  information. 